[release-branch.go1.25] cmd/compile: fix loopbce overflow check logic

JunyangShao · gopherbot · commit 7d2dd3488cdf · 2026-04-07T12:14:36.000-07:00
addWillOverflow and subWillOverflow has an implicit assumption that y is positive, using it outside of addU and subU is really incorrect. This CL fixes those incorrect usage to use the correct logic in place. Thanks to Jakub Ciolek for reporting this issue. Fixes #78333 Fixes CVE-2026-27143 Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3700 Reviewed-by: Damien Neil <dneil@google.com> Reviewed-by: Neal Patel <nealpatel@google.com> Change-Id: I263e8e7ac227e2a68109eb7bbd45f66569ed22ec Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3987 Commit-Queue: Damien Neil <dneil@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763553 Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Gopher Robot <gobot@golang.org> TryBot-Bypass: Gopher Robot <gobot@golang.org> Reviewed-by: Junyang Shao <shaojunyang@google.com>
diff --git a/src/cmd/compile/internal/ssa/loopbce.go b/src/cmd/compile/internal/ssa/loopbce.go
@@ -204,9 +204,11 @@ func findIndVar(f *Func) []indVar {
 						if init.AuxInt > v {
 							return false
 						}
+						// TODO(1.27): investigate passing a smaller-magnitude overflow limit to addU
+						// for addWillOverflow.
 						v = addU(init.AuxInt, diff(v, init.AuxInt)/uint64(step)*uint64(step))
 					}
-					if addWillOverflow(v, step) {
+					if addWillOverflow(v, step, maxSignedValue(ind.Type)) {
 						return false
 					}
 					if inclusive && v != limit.AuxInt || !inclusive && v+1 != limit.AuxInt {
@@ -235,7 +237,7 @@ func findIndVar(f *Func) []indVar {
 				// ind < knn - k cannot overflow if step is at most k+1
 				return step <= k+1 && k != maxSignedValue(limit.Type)
 			} else { // step < 0
-				if limit.Op == OpConst64 {
+				if limit.isGenericIntConst() {
 					// Figure out the actual smallest value.
 					v := limit.AuxInt
 					if !inclusive {
@@ -249,9 +251,11 @@ func findIndVar(f *Func) []indVar {
 						if init.AuxInt < v {
 							return false
 						}
+						// TODO(1.27): investigate passing a smaller-magnitude underflow limit to subU
+						// for subWillUnderflow.
 						v = subU(init.AuxInt, diff(init.AuxInt, v)/uint64(-step)*uint64(-step))
 					}
-					if subWillUnderflow(v, -step) {
+					if subWillUnderflow(v, -step, minSignedValue(ind.Type)) {
 						return false
 					}
 					if inclusive && v != limit.AuxInt || !inclusive && v-1 != limit.AuxInt {
@@ -313,14 +317,22 @@ func findIndVar(f *Func) []indVar {
 	return iv
 }
 
-// addWillOverflow reports whether x+y would result in a value more than maxint.
-func addWillOverflow(x, y int64) bool {
-	return x+y < x
+// subWillUnderflow checks if x - y underflows the min value.
+// y must be positive.
+func subWillUnderflow(x, y int64, min int64) bool {
+	if y < 0 {
+		base.Fatalf("expecting positive value")
+	}
+	return x < min+y
 }
 
-// subWillUnderflow reports whether x-y would result in a value less than minint.
-func subWillUnderflow(x, y int64) bool {
-	return x-y > x
+// addWillOverflow checks if x + y overflows the max value.
+// y must be positive.
+func addWillOverflow(x, y int64, max int64) bool {
+	if y < 0 {
+		base.Fatalf("expecting positive value")
+	}
+	return x > max-y
 }
 
 // diff returns x-y as a uint64. Requires x>=y.
@@ -341,7 +353,8 @@ func addU(x int64, y uint64) int64 {
 		x += 1
 		y -= 1 << 63
 	}
-	if addWillOverflow(x, int64(y)) {
+	// TODO(1.27): investigate passing a smaller-magnitude overflow limit in here.
+	if addWillOverflow(x, int64(y), maxSignedValue(types.Types[types.TINT64])) {
 		base.Fatalf("addU overflowed %d + %d", x, y)
 	}
 	return x + int64(y)
@@ -357,7 +370,8 @@ func subU(x int64, y uint64) int64 {
 		x -= 1
 		y -= 1 << 63
 	}
-	if subWillUnderflow(x, int64(y)) {
+	// TODO(1.27): investigate passing a smaller-magnitude underflow limit in here.
+	if subWillUnderflow(x, int64(y), minSignedValue(types.Types[types.TINT64])) {
 		base.Fatalf("subU underflowed %d - %d", x, y)
 	}
 	return x - int64(y)
diff --git a/test/loopbce.go b/test/loopbce.go
@@ -469,6 +469,34 @@ func stride2(x *[7]int) int {
 	return s
 }
 
+// This loop should not be proved anything.
+func smallIntUp(arr *[128]int) {
+	for i := int8(0); i <= int8(120); i += int8(10) {
+		arr[i] = int(i)
+	}
+}
+
+// This loop should not be proved anything.
+func smallIntDown(arr *[128]int) {
+	for i := int8(0); i >= int8(-120); i -= int8(10) {
+		arr[127+i] = int(i)
+	}
+}
+
+// This loop should not be proved anything.
+func smallUintUp(arr *[128]int) {
+	for i := uint8(0); i <= uint8(250); i += uint8(10) {
+		arr[i] = int(i)
+	}
+}
+
+// This loop should not be proved anything.
+func smallUintDown(arr *[128]int) {
+	for i := uint8(255); i >= uint8(0); i -= uint8(10) {
+		arr[127+i] = int(i)
+	}
+}
+
 //go:noinline
 func useString(a string) {
 }
